Extending SAT Solvers to Cryptographic Problems. Mate Soos, Karsten Nohl, Claude Castelluccia (INRIA Rhône-Alpes, University of Virginia), July 1, 2009.
  • Extending SAT Solvers to Cryptographic Problems

    Mate Soos, Karsten Nohl, Claude Castelluccia

    INRIA Rhône-Alpes, University of Virginia

    July 1, 2009

    M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 1 / 22

  • Table of Contents

    1 Background
      DPLL-based SAT solvers
      Stream ciphers

    2 Adapting the SAT solver
      XOR-support
      Gaussian elimination
      Dynamic behaviour analysis

    3 Adapting the cipher representation
      Logical circuit representation
      Representation of non-linear functions

    4 Implemented attacks
      Crypto-1 and HiTag2
      Bivium



  • DPLL-based SAT solvers

    A tool that solves a problem given as clauses (an ’and’ of ’or’-s)

    Performs unit propagation

    Picks a variable to branch on, works on the two sub-problems

    Optimisations:

    learning
    non-chronological backjumping
    restarting
    variable choice
    implementation details

    We used MiniSat2


  • Stream ciphers

    Uses a set of shift registers

    Each shift register’s feedback function is either linear or non-linear

    Uses a filter function to generate one secret bit (the keystream bit) from the state

    Operation: clock, filter, clock, filter, ... which is the same as feedback, filter, feedback, filter, ...



  • Problem with XOR-s

    The truth a ⊕ b ⊕ c

    must be put into the solver as

    a ∨ b ∨ c   (1)
    a ∨ b̄ ∨ c̄   (2)
    ā ∨ b ∨ c̄   (3)
    ā ∨ b̄ ∨ c   (4)

    So it takes 2^(n−1) clauses to model an n-long XOR


  • Problem with XOR-s

    To model the truth

    x1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x5 ⊕ x6 ⊕ x7 ⊕ x8

    the following truths are put into the SAT solver instead (cutting):

    y1 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ x4
    y2 ⊕ x5 ⊕ x6 ⊕ x7 ⊕ x8
    y1 ⊕ y2

    Problems: the clauses are still long, and extra variables are needed
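    An added example (not code from the slides) that builds both encodings from the two slides above: the direct CNF of an n-variable XOR, which needs 2^(n−1) clauses, and the cut encoding with fresh variables y_k, checked by brute force to have the same models over x1..x8. The DIMACS-style variable numbering and the function names are my own choices.

```python
# Added example (not code from the slides): the direct CNF of an n-variable XOR,
# which needs 2^(n-1) clauses, versus "cutting" it into short XORs tied together
# by fresh variables y_k. Variables are DIMACS-style integers: v is x_v, -v its negation.
from itertools import product

def xor_to_cnf(vars_, parity=1):
    """Clauses enforcing x_1 xor ... xor x_n == parity: one clause per forbidden
    assignment, built so that exactly that assignment falsifies it."""
    clauses = []
    for bits in product((0, 1), repeat=len(vars_)):
        if sum(bits) % 2 != parity:
            clauses.append(tuple(-v if b else v for v, b in zip(vars_, bits)))
    return clauses

def cut_xor(vars_, next_var, chunk=4):
    """Split a long XOR (== 1) into chunks: each chunk is tied to a fresh y_k by
    the XOR-clause  y_k xor chunk == 0, and one XOR over all y_k is set to 1.
    Returns ([(variables, parity), ...], next free variable number)."""
    xors, ys = [], []
    for i in range(0, len(vars_), chunk):
        y = next_var
        next_var += 1
        xors.append(([y] + list(vars_[i:i + chunk]), 0))
        ys.append(y)
    xors.append((ys, 1))
    return xors, next_var

def clause_count(xor_constraints):
    """Regular clauses needed if every XOR constraint is expanded to CNF."""
    return sum(len(xor_to_cnf(v, p)) for v, p in xor_constraints)

def satisfying_models(clauses, nvars):
    """Brute force: all assignments to variables 1..nvars satisfying every clause."""
    models = []
    for bits in product((0, 1), repeat=nvars):
        if all(any(bits[abs(l) - 1] == (l > 0) for l in cl) for cl in clauses):
            models.append(bits)
    return models
```

    For the 8-variable XOR the direct encoding is 128 clauses of length 8, while cutting into two chunks gives 16 + 16 + 2 = 34 clauses at the price of two extra variables.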


  • Solution to XOR-s

    Xor-clauses [Massacci00Taming]:

    a ⊕ b ⊕ c

    represents all the regular clauses

    a ∨ b ∨ c   (1)
    a ∨ b̄ ∨ c̄   (2)
    ā ∨ b ∨ c̄   (3)
    ā ∨ b̄ ∨ c   (4)

    and changes its appearance to match whichever regular clause is the most pertinent to the situation. This changed appearance is what is handed to the analyze() method.

    Uses a watched-variable scheme instead of a watched-literal scheme

    Gain:

    2.2x in speed

    an order of magnitude in memory


  • Gaussian elimination

    Gaussian elimination is an efficient algorithm for solving systems of linear equations

    An XOR-clause is a linear equation over GF(2), so Gaussian elimination can be used to solve the system of XOR-clauses

    Actual XOR-clauses (each row reads: XOR of the marked variables = const):

        v10  v8  v9  v12 | const
         1    1   1   1  |   0
         0    0   1   1  |   1
         0    1   0   1  |   1
         0    1   0   0  |   1

    XOR-clauses with v8 assigned to true (its column drops out):

        v10  v8  v9  v12 | const
         1    −   1   1  |   1
         0    −   1   1  |   1
         0    −   0   1  |   0
         0    −   0   0  |   0

    Make a temporary XOR-clause out of the interesting rows found

    Given a propagation (row 3 above), save the temporary XOR-clause for a short while

    Given a conflict, give it to analyze() and then delete it
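    An added example, not the solver's own code, that replays the matrix above: the four XOR-clauses over v10, v8, v9, v12 as GF(2) rows, substitution of the assignment v8 = true, and classification of the resulting rows into propagations and conflicts as the slide describes; gauss_gf2 additionally reduces the whole system. Function names are mine.

```python
# Added example (not the solver's own code): the slide's four XOR-clauses as GF(2)
# rows over the columns (v10, v8, v9, v12 | const); a row reads "XOR of the marked
# variables = const". Substituting an assignment exposes unit rows and conflicts.
VARS = ["v10", "v8", "v9", "v12"]
XOR_CLAUSES = [
    [1, 1, 1, 1, 0],   # v10 + v8 + v9 + v12 = 0
    [0, 0, 1, 1, 1],   # v9 + v12 = 1
    [0, 1, 0, 1, 1],   # v8 + v12 = 1
    [0, 1, 0, 0, 1],   # v8 = 1
]

def apply_assignment(rows, assignment):
    """Drop assigned columns; a variable assigned true flips its rows' constants."""
    out = []
    for row in rows:
        r = list(row)
        for name, value in assignment.items():
            col = VARS.index(name)
            if r[col] and value:
                r[-1] ^= 1
            r[col] = 0                      # the column no longer participates
        out.append(r)
    return out

def gauss_gf2(rows):
    """Reduced row echelon form over GF(2): XOR is addition, AND multiplication."""
    m = [list(r) for r in rows]
    pivot_row = 0
    for col in range(len(VARS)):
        piv = next((i for i in range(pivot_row, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[pivot_row], m[piv] = m[piv], m[pivot_row]
        for i in range(len(m)):
            if i != pivot_row and m[i][col]:
                m[i] = [a ^ b for a, b in zip(m[i], m[pivot_row])]
        pivot_row += 1
    return m

def analyse(rows):
    """Per row: ('propagate', var, value) for a unit row, ('conflict',) for 0 = 1, else None."""
    verdicts = []
    for r in rows:
        live = [VARS[i] for i, c in enumerate(r[:-1]) if c]
        if len(live) == 1:
            verdicts.append(("propagate", live[0], bool(r[-1])))
        else:
            verdicts.append(("conflict",) if not live and r[-1] else None)
    return verdicts
```

    With v8 = true, row 3 becomes the unit row v12 = 0 (the propagation the slide mentions); assigning v12 = true as well turns the same row into 0 = 1, a conflict.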


  • Gaussian elimination results

    [Figure: two plots against "Gaussian elimination until depth" (0 to 18): time in seconds (0 to 1500), and number of propagations, roughly the search space (0 to 1.6e+09).]

    Search space reduced by up to 87%

    However, running the algorithm takes more time than the benefits it brings

    Possible to improve the implementation


  • Visual representation

    It’s hard to follow how a solver operates, so we implemented dynamic behaviour analysis

    Figure: Graphviz visualisation of an example search for the Crypto-1 cipher’s states. The tree is read from left to right, top to bottom: the left- and bottommost pentagon is the first conflict clause, the right- and bottommost circle is the satisfying assignment.


  • Detailed statistics

    Statistics generated:

    Number of times each variable is branched upon

    Number of conflicts caused by each clause group

    Propagation depth order of clause groups

    Average conflict depth order of clause groups



  • Logical circuit representation

    Best to look at the cipher as a logical circuit inside the solver. The logical circuit has variables (boxes), functions (hexagons) and the known keystream.


  • Measures of the logical circuit representation

    Measures of this logical circuit representation:

    Depth of each keystream bit: the number of functions traversed from the reference state

    Reference state dependency numbers: the number of reference-state bits each keystream bit depends on. A large part of these must be guessed before evaluation can take place

    Function difficulty: when traversed, these functions must be calculated

    Goal: minimise all of these


  • Generate logical circuit from CNF

    We wrote an extension to MiniSat to visualise the logical circuit. Example HiTag2 logical circuit:

    [Figure: Graphviz rendering of the HiTag2 logical circuit. Nodes are state bits ("state 0" to "state 52"), feedback functions ("feedback func. 48" to "feedback func. 52"), the filter sub-functions fa[...] and fb[...] over groups of four state bits, their internal variables, and the filter outputs "fc output 0" to "fc output 4".]


  • Optimising representation of non-linear functions

    Simple GF(2) polynomial

    x1 + x1x2 + x2x3 + x1x3

    It is usually represented with each non-single monomial expressed as a set of clauses, setting additional variables i1 . . . i3. The polynomial then becomes

    x1 + i1 + i2 + i3

    With this representation, the number of clauses is 3 × 3 regular + 1 xor-clause, with an average clause length of 4.14. Three extra variables are also needed

    However, the representation obtained from a Karnaugh table is

    x̄1 ∨ x̄3
    x̄2 ∨ x3
    x̄1 ∨ x̄2
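    An added example, not from the slides, that builds both encodings of the polynomial: the monomial encoding with auxiliary variables i1..i3 (numbered 4..6 here) and one XOR-clause, and the short clause set derived from the truth table the way a Karnaugh table would. It assumes the constraint is that the polynomial equals 1, the case in which three two-literal clauses suffice; the literal numbering and function names are mine.

```python
# Added example (not from the slides): the GF(2) polynomial f = x1 + x1x2 + x2x3 + x1x3
# encoded two ways, with the constraint taken as f == 1 (the case in which a
# three-clause, two-literal CNF exists). Literals are DIMACS-style: v or -v.
from itertools import combinations, product

def f(x1, x2, x3):
    return x1 ^ (x1 & x2) ^ (x2 & x3) ^ (x1 & x3)

def satisfied(clause, bits):
    """bits[v-1] is the value of x_v; a clause holds if any literal is true."""
    return any(bits[abs(l) - 1] == (l > 0) for l in clause)

def monomial_encoding(target=1):
    """Usual encoding: fresh i_k (vars 4..6) with i_k <-> x_a & x_b (3 clauses
    per monomial), then the linear part as one XOR-clause x1+i1+i2+i3 == target."""
    clauses, xor_vars = [], [1]
    for k, (a, b) in enumerate(((1, 2), (2, 3), (1, 3)), start=4):
        clauses += [(-k, a), (-k, b), (k, -a, -b)]
        xor_vars.append(k)
    return clauses, (xor_vars, target)

def karnaugh_encoding(target=1, nvars=3):
    """Fewest 1- or 2-literal clauses over x1..x3 alone whose models are exactly
    {f == target}: keep every short clause true on all models (an implicate),
    then pick the smallest subset that falsifies every non-model."""
    points = list(product((0, 1), repeat=nvars))
    models = [b for b in points if f(*b) == target]
    nonmodels = [b for b in points if f(*b) != target]
    lits = list(range(1, nvars + 1)) + [-v for v in range(1, nvars + 1)]
    cands = sorted({tuple(sorted(c, key=abs)) for n in (1, 2) for c in combinations(lits, n)
                    if len({abs(l) for l in c}) == n and all(satisfied(c, m) for m in models)})
    for n in range(1, len(cands) + 1):
        for subset in combinations(cands, n):
            if all(not all(satisfied(c, b) for c in subset) for b in nonmodels):
                return list(subset)
    return None

def models_with_aux(clauses, xor, nvars=6):
    """Models of the monomial encoding projected onto x1..x3 (brute force)."""
    xvars, target = xor
    out = set()
    for bits in product((0, 1), repeat=nvars):
        if all(satisfied(c, bits) for c in clauses) \
                and sum(bits[v - 1] for v in xvars) % 2 == target:
            out.add(bits[:3])
    return sorted(out)
```

    The monomial route yields 9 regular clauses, one xor-clause and three extra variables, while the truth-table route yields three two-literal clauses over the original variables only; both have exactly the models (x1, x2, x3) ∈ {(0,1,1), (1,0,0)}.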



  • Crypto-1 & HiTag2

    Crypto-1

    Best attack with SAT solvers [Courtois08Algebraic]: 200 seconds, but this uses mathematical means to bring down the complexity (simple, as Crypto-1 uses only an LFSR)

    We break it in 40 seconds.

    HiTag2

    Without our optimisation: 2^21 s to break

    With our technique: 2^14.5 s to break


  • Bivium

    Bivium is a simplified version of Trivium. The best attack against it takes 2^43 s.

    [Figure: time in seconds (log scale, 100 to 1e+06) against the number of randomly guessed bits (42 to 56).]

    We break it in 2^36.5 s.


  • Thank you for your time

    Thank you for your time!
